The platform lane for sites already on Cloudflare: install this Worker and AI agents that land on your site get funneled to your Superspice wall (signposted to your paid endpoints, or charged a toll) while humans browse exactly as before. No DNS changes — it runs inside your existing zone.
The button clones this Worker into your Cloudflare account and prompts for the three values below.
Or with the CLI:
git clone https://github.com/sashakhxn/superspice-cloudflare-worker
cd superspice-cloudflare-worker
npx wrangler deploy
npx wrangler secret put FORWARD_SECRET # paste the value from your dashboardFrom your Superspice dashboard → Domains → your domain card:
| Value | Where it goes | From |
|---|---|---|
GATEWAY_URL |
[vars] (default already correct) |
https://gw.superspice.xyz |
FRONTED_HOST |
[vars] |
your domain, e.g. blog.you.com |
FORWARD_SECRET |
secret (wrangler secret put) |
the "No-DNS option" secret on the card |
Then add a route so the Worker runs on your site, e.g.
blog.example.com/* on your zone.
Cloudflare blocks AI crawlers by default, and that rule runs at your edge
before this Worker. Left on, paying agents get a 403 before they ever
reach the wall. Turn it off — or scope it to exclude the agents you want to
monetize — under AI Crawl Control (older dashboards: Security → Bots).
This is the one setting no install can change for you; it's yours.
- Requests carrying your
FORWARD_SECRETare the wall fetching your site (loop-break) → served normally. /.well-known/ai-catalog.json+/llms.txt→ proxied from your wall, so agents get your machine-readable menu on your domain.- Detected agents' GET requests → forwarded to your wall, which applies your signpost/toll settings. Humans are never touched.
- Fail-open always: any failure to reach the wall serves your site normally. This Worker can never take your site down.
The agent-detection list mirrors @superspice/shared/agent-detect (the tested
source of truth); the wall re-detects authoritatively on its side.